Once OpenLDAP is used for centralized authentication, you will find that every user in the directory can log on to every server, which is quite dangerous. This post therefore uses a group under OpenLDAP to restrict which users may access a server.
1. First create the corresponding group on the OpenLDAP server.
I created a group named opsgroup under the group OU, with gidNumber 23794.
2. Create a user, or directly modify the primary group of an existing account.
Note that the user's primary group here is opsgroup.
3. For comparison, create a user User2 that does not belong to this group; it should end up unable to log on to the server.
4. Now test.
At this point, before any filter is configured, both User1 and User2 can log in to the client.
5. Note that my client is CentOS 6.8; the configuration on CentOS 5.x is slightly different.
echo "filter passwd (gidNumber=23794)" >> /etc/nslcd.conf
/etc/init.d/nslcd restart
With this filter, only accounts whose gidNumber is 23794 are returned by nslcd, that is, only users of the opsgroup group can log on to the server.
Note: a user who can log on to the server must have opsgroup as their primary group; a user who is merely a member of the group but has a different primary group will not be able to log in.
The test above shows that User1 logs on normally, while User2, whose primary group is not opsgroup, cannot log in. The group thus controls which users may log on to the server.
6. Script to apply the filter automatically
#!/bin/bash
# Look up the gidNumber of a group by its cn under ou=group.
function get_gid() {
    ldapsearch -x gidNumber -b "cn=$1,ou=group,dc=vxuepin,dc=com" 2>/dev/null \
        | grep -i "^gidNumber:" | awk '{print $2}'
}

# CentOS 5.x: nss_ldap reads /etc/ldap.conf directly, so there is no daemon to restart.
function filter_on_centos5() {
    # samples:
    # nss_base_passwd dc=vxuepin,dc=com?sub?gidNumber=1000
    # nss_base_passwd dc=vxuepin,dc=com?sub?|(gidNumber=1000)(gidNumber=1003)
    cp /etc/ldap.conf /etc/ldap.conf.$(date +%Y%m%d)
    local groups="$1"
    echo "***** getting filter *****"
    n=$(echo "$groups" | awk -F',' '{print NF}')
    if [ "$n" -eq 1 ]; then
        gid=$(get_gid "$groups")
        [ -z "$gid" ] && { echo "Can't find group $groups"; exit 3; }
        filter="gidNumber=$gid"
    else
        filter="|"
        for group in $(echo "$groups" | sed 's/,/ /g'); do
            gid=$(get_gid "$group")
            [ -z "$gid" ] && { echo "Can't find group $group"; exit 3; }
            filter="$filter(gidNumber=$gid)"
        done
    fi
    filter="nss_base_passwd dc=vxuepin,dc=com?sub?$filter"
    echo "$filter"
    echo "***** config ldap.conf *****"
    echo "$filter" >> /etc/ldap.conf
}

# CentOS 6.x: nss-pam-ldapd reads /etc/nslcd.conf and nslcd must be restarted.
function filter_on_centos6() {
    # samples:
    # filter passwd (gidNumber=1000)
    # filter passwd (|(gidNumber=1000)(gidNumber=1003))
    cp /etc/nslcd.conf /etc/nslcd.conf.$(date +%Y%m%d)
    local groups="$1"
    echo "***** getting filter *****"
    n=$(echo "$groups" | awk -F',' '{print NF}')
    if [ "$n" -eq 1 ]; then
        gid=$(get_gid "$groups")
        [ -z "$gid" ] && { echo "Can't find group $groups"; exit 3; }
        filter="(gidNumber=$gid)"
    else
        filter="(|"
        for group in $(echo "$groups" | sed 's/,/ /g'); do
            gid=$(get_gid "$group")
            [ -z "$gid" ] && { echo "Can't find group $group"; exit 3; }
            filter="$filter(gidNumber=$gid)"
        done
        filter="$filter)"
    fi
    filter="filter passwd $filter"
    echo "$filter"
    echo "***** restart nslcd *****"
    echo "$filter" >> /etc/nslcd.conf
    service nslcd restart
}

if [ -z "$1" ]; then
    echo "Please input groupname"
    exit 1
fi

# Pick the configuration method from the kernel release string (el5 / el6).
if [ "$(uname -r | grep -c el6)" -eq 1 ]; then
    filter_on_centos6 "$1"
elif [ "$(uname -r | grep -c el5)" -eq 1 ]; then
    filter_on_centos5 "$1"
else
    echo "os unsupported!"
fi
The above script is adapted, with slight changes, from http://opjasee.com/2016/01/24/openldap-group-filter.html.
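Steps 5 and 6 append a new "filter passwd" line to /etc/nslcd.conf every time they run, so repeated runs stack several such lines in the file. The bash script below is an added example, not part of the original post or the referenced script: it builds the same kind of single-GID or OR-combined gidNumber filter and installs it into a configuration file by replacing any earlier "filter passwd" line, working on a constructed copy of nslcd.conf so it runs without an LDAP server and never touches /etc/nslcd.conf. The gidNumbers 23794 and 23795, the host ldap.example.com, and the function names are assumptions made for the demo.

```shell
#!/bin/bash
# Added example (not from the original post): build the nslcd "filter passwd"
# line for one or more gidNumbers and apply it to a config file idempotently,
# replacing any earlier "filter passwd" line instead of appending another one.
# The gidNumbers and the sample nslcd.conf below are constructed for the demo.

# build_passwd_filter GID [GID ...]
# Prints "filter passwd (gidNumber=N)" for one GID, or the LDAP OR-filter
# "filter passwd (|(gidNumber=N1)(gidNumber=N2)...)" for several.
build_passwd_filter() {
    local gid f
    [ $# -ge 1 ] || { echo "usage: build_passwd_filter GID [GID ...]" >&2; return 1; }
    for gid in "$@"; do
        case "$gid" in
            ''|*[!0-9]*) echo "invalid gidNumber: '$gid'" >&2; return 1 ;;
        esac
    done
    if [ $# -eq 1 ]; then
        printf 'filter passwd (gidNumber=%s)\n' "$1"
    else
        f='(|'
        for gid in "$@"; do
            f="$f(gidNumber=$gid)"
        done
        printf 'filter passwd %s)\n' "$f"
    fi
}

# count_passwd_filters CONF
# Prints the number of "filter passwd" lines in CONF (0 when there are none).
count_passwd_filters() {
    grep -cE '^[[:space:]]*filter[[:space:]]+passwd([[:space:]]|$)' "$1" || true
}

# apply_passwd_filter CONF GID [GID ...]
# Rewrites CONF so it contains exactly one "filter passwd" line (the new one,
# placed at the end); every other line is kept in order. A backup CONF.bak is
# written first. Returns non-zero for an unreadable file or an invalid GID.
apply_passwd_filter() {
    local conf="$1" line tmp
    shift
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    line=$(build_passwd_filter "$@") || return 1
    tmp="$conf.tmp.$$"
    cp "$conf" "$conf.bak"
    # Drop any existing "filter passwd ..." line. grep -v exits 1 when every
    # line was dropped, which is not an error here.
    grep -vE '^[[:space:]]*filter[[:space:]]+passwd([[:space:]]|$)' "$conf" > "$tmp" || true
    printf '%s\n' "$line" >> "$tmp"
    mv "$tmp" "$conf"
}

# Demo on a constructed copy of nslcd.conf (never touches /etc/nslcd.conf).
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
uid nslcd
gid ldap
uri ldap://ldap.example.com/
base dc=vxuepin,dc=com
filter passwd (gidNumber=1000)
EOF
apply_passwd_filter "$demo_conf" 23794 23795
echo "--- resulting $demo_conf ($(count_passwd_filters "$demo_conf") filter passwd line) ---"
cat "$demo_conf"
rm -f "$demo_conf" "$demo_conf.bak"
```

After the demo the file ends with a single line, filter passwd (|(gidNumber=23794)(gidNumber=23795)), and the stale (gidNumber=1000) line is gone. On a real host you would call apply_passwd_filter on /etc/nslcd.conf and restart nslcd afterwards, as in step 5; keep in mind that a custom "filter passwd" in nslcd.conf replaces the default (objectClass=posixAccount) search filter rather than adding to it, so the host's login restriction is only as strict as the filter you write.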
This article is from "Maple Night" blog, please be sure to keep this source http://fengwan.blog.51cto.com/508652/1846879
OpenLDAP Restricting User Login hosts